General information about the processing of your data

As required by law, we inform you below about the processing of your personal data (hereinafter referred to as “data”) when you use our website. The protection of your personal data is a top priority for us. This data protection information provides you with an overview of the details of the processing of your data and your legal rights in this regard. The terms “personal data” and “processing” are based on the legal definitions in accordance with Art. 4 GDPR. We reserve the right to adapt the privacy policy in the future, in particular in the event of further developments of the website, the use of new technologies or changes to the legal framework and the corresponding case law. We recommend that you read the privacy policy regularly and make a copy for your records.

Scope of application

The privacy policy applies to all pages of www.wildeshauser-hof.de and www.wildeshauser-hof.com. However, it does not include the websites or internet presences of other providers that link to our website

Person responsible

The responsibility for the processing of personal data that fall within the scope of this privacy policy lies with

Hotel Huntetal Gmbh & Co KG

Im Hagen 3

27793 Wildeshausen

Phone: +49 4431 9400

E-mail: info[at]wildeshauser-hof.de

Questions about data protection

If you have any questions about data protection in relation to our company or our website, you are welcome to contact our lawyer and data protection officer:

Law firm Arne Kai Hübner

Welgenhöhe 2

27793 Wildeshausen

huebner[at]ak-huebner.de

Security

We have taken comprehensive technical and organizational measures to protect your personal data from unauthorized access, misuse, loss and other external interference. To this end, we regularly review our security precautions and adapt them to the current state of the art.

Your rights

With regard to the processing of your personal data, you have the following rights that you can assert against us:

• Right to information: In accordance with Art. 15 GDPR, you have the right to request information about the processing of your personal data.
• Right to rectification: If your personal data is incorrect or incomplete, you can request the correction or completion of the data in accordance with Art. 16 GDPR.
• Right to erasure: In accordance with Art. 17 GDPR, you can request the erasure of your personal data.
• Right to restriction of processing: You have the right to request a restriction of the processing of your data in accordance with Art. 18 GDPR.
• Right to object: You can object to the processing of your personal data at any time if this is based on Art. 6 para. 1 sentence 1 lit. e) or lit. f) GDPR. This applies in particular if your particular situation gives rise to reasons against the processing (Art. 21 para. 1 GDPR). In this case, we will cease processing unless there are compelling legitimate grounds that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. You can also object to the processing of your data for direct marketing purposes - including any profiling in connection with direct marketing - at any time in accordance with Art. 21 (2) GDPR.
• Right to withdraw consent: If you have consented to the processing of your personal data, you can withdraw your consent at any time in accordance with Art. 7 (3) GDPR.
• Right to data portability: According to Art. 20 GDPR, you have the right to receive the data you have provided to us in a structured, commonly used and machine-readable format. In addition, you may request that this data be transferred to another controller, provided that the requirements of Art. 20 para. 1 lit. a, b GDPR are met.

To assert your rights, you can contact the contact details listed in the “Controller” section or the data protection officer appointed by us.

Right to lodge a complaint: If you believe that the processing of your personal data violates applicable data protection law, you have the right to lodge a complaint with a data protection supervisory authority of your choice in accordance with Art. 77 GDPR. Responsible for us is:

The State Commissioner for Data Protection of Lower Saxony

P.O. Box 221, 30002 Hanover

Phone: 0511/120-4500, Fax: 0511 120-4599

E-mail: poststelle@lfd.niedersachsen.de

Use of our website

You can use our website anonymously and for purely informational purposes without revealing your identity. When you access the individual pages of the website, access data is only transmitted to our web space provider to enable you to view the website. The following data is processed:

• Browser type/browser version,
• operating system used,
• Language and version of the browser software,
• Date and time of access,
• Host name of the accessing end device,
• IP address,
• Content of the request (specific website),
• Access status/HTTP status code,
• Websites that are accessed via the website,
• Referrer URL (the previously visited website),
• Message indicating whether the call was successful,
• Time zone difference to GMT and
• amount of data transferred.

The temporary processing of this data is necessary to ensure the smooth running of a website visit and to deliver the website to your end device in a technically correct manner. The access data is not used to identify individual users and is not combined with other data sources. Additional storage in log files is carried out to ensure the functionality of the website and the security of our IT systems. The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. f) GDPR. Our legitimate interest lies in ensuring the functionality, stability and security of the website.

The storage of access data, in particular the IP address, over a longer period of time enables us to recognize and ward off potential misuse. This includes, for example, defense against overload attacks (DDoS) or automated bot use. The stored access data is deleted as soon as it is no longer required for the purpose for which it was processed. In the case of data processing for the provision of the website, this happens as soon as you leave the website.

Log data is only made accessible to administrators and is generally deleted after seven days at the latest. After this period, they are only indirectly available via backups and are permanently deleted after a maximum of four weeks.

You have the right to object to processing if there are grounds relating to your particular situation. You can address your objection to us using the contact details provided in the “Controller” section.

Tracking

In addition to the aforementioned access data, cookies, pixels, browser fingerprinting and other tracking technologies are also used when using the website. Cookies are small text files that contain a sequence of numbers and are stored locally in the cache of the browser used. Pixels are invisible one-pixel images that are opaque or integrated into the background color of the website and collect information about your user behavior on the website. Fingerprinting technologies create a unique fingerprint based on the settings of your browser, allowing an individual browser to be identified. Through a script that each Internet browser automatically executes, information such as screen resolution, fonts used, operating system, hardware information and installed browser plug-ins can be collected. These specific combinations can ultimately lead to a specific user being identified.

The use of these tracking technologies serves to make our website more user-friendly. Their use may be both technically necessary and for other purposes, such as analyzing and evaluating website usage.

Technically necessary elements

Some elements of our website require that the user's browser can be identified even after a page change. In the case of these technically necessary elements, in particular cookies or similar methods of accessing end devices, the following data is processed in order to carry out electronic communication or to provide an information society service requested by the user:

• Language settings
• Bookings
• Log-in information

The user data collected by these technically necessary elements is not used to create user profiles. We also use so-called “session cookies”, which store a session ID in order to assign various requests from your browser to a common session. These “session cookies” are essential for the use of the website. In particular, they enable us to recognize the device you are using when you return to the website. We use this cookie to recognize you on future visits to the website. The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. f) GDPR. Our legitimate interest in the processing is to provide the aforementioned special functionalities and to make the use of the website more attractive and effective.

The “session cookies” are deleted as soon as you close the browser, depending on the browser you are using and the browser settings you have made.

You have the right to object to the processing. You have the right to object if there are grounds relating to your particular situation. You can address your objection to us using the contact details provided in the “Controller” section.

Technically unnecessary tracking

On our website, we also use cookies, pixels, browser fingerprinting and other tracking technologies to analyze the surfing behavior of users. Among other things, the following data is stored and processed:

Frequency of page views,

Use of website functions. The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. a) GDPR. Technically unnecessary cookies, pixels and other tracking technologies are automatically deleted after a specified period, which may vary depending on the tracking method used. If we integrate third-party cookies or pixels and similar tracking technologies into our website, we will inform you of this separately.

You have the option to withdraw your consent to processing by the respective provider at any time by moving the slider back in the “Individual data protection settings” of the consent tool. The lawfulness of the processing remains unaffected until the time of withdrawal.

Contacting our company

When you contact our company, for example by email or via the contact form on our website, we process the personal data you provide in order to process your request. To use the contact form, you must provide your first name and surname (or a pseudonym) and a valid e-mail address.

The legal basis for this processing is Art. 6 para. 1 p. 1 lit. f) GDPR, insofar as the processing is based on our legitimate interest in processing your request, or Art. 6 para. 1 p. 1 lit. b) GDPR, if the contact is aimed at the conclusion of a contract. If your details are required for the conclusion of a contract, the provision of this data is mandatory. Without this information it is not possible to conclude a contract or process your request.

The processing of personal data from the contact form serves exclusively to process your request. If you contact us by email, our legitimate interest also lies in processing your request. In addition, further data is processed during the sending process in order to prevent misuse of the contact form and to ensure the security of our IT systems. The data will not be passed on to third parties in this context.

The data collected will be deleted as soon as it is no longer required to process your request - usually two years after the communication has been completed. If there is a legal obligation to retain data, we will restrict processing accordingly.

You have the right to object to the processing if it is based on Art. 6 para. 1 sentence 1 lit. f) GDPR. Your right to object applies if there are grounds relating to your particular situation. You can submit your objection to us using the contact details provided in the “Controller” section.

Processing for contractual purposes

We process your personal data if this is necessary in order to prepare, conclude, execute or terminate a legal transaction with our company. The legal basis for this is Art. 6 para. 1 sentence 1 lit. b) GDPR. Your data is required in this context because it is necessary for the conclusion of the contract. For example, you must provide your data if you wish to attend one of our events as a guest or speaker. Without this information, it is not possible to conclude or execute the contract.

After the purpose has been fulfilled, such as the execution of the contract, your personal data will either be blocked or deleted unless you have given us your consent to further processing (e.g. for the receipt of advertising emails), there is a contractual agreement, a legal authorization (e.g. for direct advertising) or a legitimate interest on our part (e.g. to enforce claims).

Your personal data will only be passed on to third parties if this is necessary for the initiation, execution or termination of a legal transaction, for example when transferring data to payment service providers or shipping companies for contract processing (Art. 6 para. 1 sentence 1 lit. b) GDPR). Data may also be passed on to subcontractors or vicarious agents that we use exclusively to provide the services you have requested. These auxiliary persons are only authorized to process the data within the scope of the necessary provision of services.

In addition, your data will only be passed on in the following cases:

• In the event of an enforceable official or court order (Art. 6 para. 1 sentence 1 lit. c) GDPR)
• If we are legally obliged to do so (Art. 6 para. 1 sentence 1 lit. c) GDPR)
• If processing is necessary in order to protect the vital interests of the data subject or of another natural person (Art. 6 para. 1 sentence 1 lit. d) GDPR)
• If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (Art. 6 para. 1 sentence 1 lit. e) GDPR)
• If we can rely on our legitimate interests or those of a third party for disclosure (Art. 6 para. 1 sentence 1 lit. f) GDPR)

Any further transfer of your personal data to other persons, companies or bodies will only take place if you have given us your express consent to do so. In this case, the legal basis is Art. 6 para. 1 sentence 1 lit. a) GDPR. We will inform you about the respective recipients in connection with the corresponding processing operations as part of this data protection notice.

Online booking

If you wish to reserve a hotel room via our website using the online booking system, we process the following personal data: Your first and last name, your address, e-mail address, travel dates and the desired room category. In order to initiate and conclude the contract, it is necessary for you to provide certain personal data such as your name, address, travel duration, payment information and e-mail address. Mandatory fields that are required for the booking process are marked accordingly; additional information is voluntary.

Your data will be processed to process your booking. As part of the processing, we transmit payment information in particular to the payment service provider you have selected or to our house bank. We also use the booking system of Cultuzz Digital Media GmbH 10623 Berlin; hereinafter referred to as “Cultuzz”). By using the online booking system, “Cultuzz” receives the data required for processing (e.g. length of stay, reservation number, accommodation). The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. b) GDPR.

Obligation to provide data

The provision of your personal data is mandatory for the conclusion and execution of the contract. Without this information, neither a booking nor the execution of the contract can take place.

Security of your data

To protect your personal data from unauthorized access, the booking process on our website is encrypted using SSL technology.

Storage and deletion of data

The data collected will be deleted as soon as it is no longer required for the original purpose of processing. If statutory retention obligations exist, the data will be further processed for these purposes to a limited extent. In accordance with commercial and tax regulations, we are obliged to store address, payment and booking data for up to ten years. Two years after conclusion of the contract, we restrict processing to compliance with legal requirements.

Further information on data processing by “Cultuzz” can be found at the following link: https://www.cultbooking.com/de/datenschutzerklarung-dsgvo/

Processing of personal data in accordance with Section 30 of the Federal Registration Act (BMG)

Accommodation facilities, in particular hotels, are obliged under Section 30 of the Federal Registration Act (BMG) to collect the following data from the guest on the day of arrival and to have the guest sign the registration form by hand or confirm any electronically collected data using special authentication procedures in accordance with Section 29 (5) BMG:

• Date of arrival and expected departure
• Surnames
• First names
• Date of birth
• Nationalities
• Address
• Number of fellow travelers and their nationality in the cases of Section 29 (2) sentences 2 and 3 BMG
• Serial number of the recognized and valid passport or passport replacement document for foreign persons
• Further data on the collection of tourism and spa contributions

For travel groups consisting of more than 10 people, it is sufficient to record only the personal data of the tour guide. They must state the number of travelers and their nationality. We are legally obliged to collect, process and pass on this data in accordance with the Federal Registration Act (BMG). The legal basis for this processing results from Art. 6 para. 1 sentence 1 lit. c) GDPR in conjunction with § 30 para. 1, para. 4 and § 29 para. 2 to 5 BMG. As our guest, you are legally obliged to provide your data. Without this information, it is not possible to conclude a contract or provide accommodation. We must retain the completed registration forms for submission to the responsible local regulatory authorities in order to meet their requirements.

The data processed by us will be deleted one year and three months after your date of arrival or the processing will be restricted as soon as this is permitted under the provisions of the BMG, unless you have given us your consent to further processing in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR or there is another legitimate interest on our part in the continued processing.

E-mail marketing

Existing customer acquisition

We reserve the right to use the e-mail address that you have provided to us when booking a hotel room or registering for an event in accordance with the legal requirements in order to send you the following content by e-mail during or after your booking, provided that you have not already objected to the use of your e-mail address:

• Information about your stay and other travel-related offers from our hotel
• News about current special offers
• Details of our hotel and other services
• Individual advice and support for our guests
• Satisfaction surveys after your stay or event visit
• Information on leisure activities and events at our hotel
• Information on your arrival and departure in preparation for your stay
• Invitations to events organized by our company

If the sending of such electronic information is necessary for the performance of your contract, your data will be processed on the legal basis of Art. 6 para. 1 sentence 1 lit. b) GDPR. In these cases, you are obliged to provide us with your data. Otherwise, it will not be possible for us to send you this information by email.

In the event that the sending of electronic information is not necessary for the execution of the contract (e.g. purely informative emails), your data will be processed on the basis of Art. 6 para. 1 sentence 1 lit. f) GDPR. Our legitimate interest lies in the improvement and optimization of our service offers, the sending of direct advertising and ensuring your satisfaction as a guest. Your data will be deleted in this context no later than three years after termination of the contract, unless you revoke your consent beforehand.

We use the services of Bremer Medien GmbH, 28816 Stuhr (hereinafter referred to as “Bremer Medien”) to send e-mails, in particular for guest satisfaction surveys. If you have made a booking via the online booking system, the personal data you provide (e.g. name, length of stay, hotel name and e-mail address) will be processed by Best Western in order to send you a satisfaction survey after your stay. The processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. f) GDPR. Our legitimate interest lies in the use of this service provider to optimize the dispatch and targeted management of guest feedback. Further information, including details on the storage period, can be found in Bremer Medien's privacy policy at: https://www.bremermedien.de/datenschutz/.

Please note that you can object to the processing of your data for the purpose of direct marketing at any time without incurring any costs other than the transmission costs according to the basic rates. You can exercise your right to object (pursuant to Art. 21 (2) GDPR) at any time without giving reasons. To do so, you can either use the unsubscribe link in the respective email or send your objection to the contact details specified in the “Controller” section.

Payment Service Provider (PSP)/ Payment service provider

PayPal

On our website, you have the option of processing payments via the “PayPal” service. The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter referred to as “PayPal”). In order to make a payment, it is necessary for you to log into your PayPal account. The payment data you provide to PayPal will be processed by PayPal to process the payment. Further information on data processing by PayPal can be found at: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

To allocate your payment, we process your delivery or billing address, your e-mail address and the payment method you have selected. This data is deleted as soon as it is no longer required, or processing is restricted if there are statutory retention obligations. Due to commercial and tax law requirements, we are obliged to store your address, payment and order data for up to ten years. Two years after termination of the contract, processing is restricted and reduced to the fulfillment of legal obligations.

The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. b) GDPR. The provision of your payment data is necessary for the conclusion and execution of the contract. Without this data, it is not possible to process the payment via PayPal.

PayPal Plus Services without a PayPal account

If you use the PayPal services “SEPA direct debit”, “credit card” or “purchase on account” for payment, PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter referred to as “PayPal”) processes the personal data required for payment processing. No separate PayPal account is required for these services. Further information on data processing by PayPal can be found at

https://www.paypal.com/de/webapps/mpp/ua/legalhub-full?locale.x=de_DE

or

https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE.

In this case, we will also process the payment method you have specified in connection with your booking. The data will be deleted as soon as it is no longer required, or processing will be restricted if there are statutory retention obligations. Due to commercial and tax law requirements, we are obliged to store your address, payment and order data for up to ten years. Two years after termination of the contract, processing is restricted and reduced to compliance with legal obligations.

The legal basis for this processing is also Art. 6 para. 1 sentence 1 lit. b) GDPR. The provision of your payment data is necessary for the conclusion of the contract and the execution of the payment. Without this data, it is not possible to process the payment via the PayPal services you have selected.

Credit card payment

In order to process credit card payments, we transmit the necessary payment data to the credit institution entrusted with processing the payment or to the payment and invoicing service provider commissioned by us, if applicable. This processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. b) GDPR. The provision of your payment data is necessary and mandatory for the conclusion and performance of the contract. Without the provision of this data, it is not possible to conclude a contract and/or make a credit card payment.

The data required for payment processing is transmitted securely via the “SSL” procedure and processed exclusively for this purpose. The data collected in connection with payment processing will be deleted as soon as it is no longer required, or processing will be restricted if there are statutory retention obligations. Due to mandatory commercial and tax regulations, we are obliged to store your address, payment and order data for up to ten years. Two years after termination of the contract, processing will be restricted so that it is only used to fulfill existing legal obligations.

Purchase on account

In the case of “purchase on account”, we reserve the right to pass on the data you provide when ordering to external companies (e.g. Verband der Vereine Creditreform e.V., D-41460 Neuss) to carry out a credit check. The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. f) GDPR. Our legitimate interest lies in the prevention of fraud and the avoidance of default risks, as we make advance payments for “purchase on account”.

We use the data transmitted to us by your bank as part of the “purchase on account” payment process for invoice verification. The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. b) GDPR. Your payment data is required and mandatory for the conclusion of the contract and the execution of the purchase. It is not possible to conclude a contract and/or carry out a “purchase on account” without providing this data.

The data collected in connection with this payment method will be deleted as soon as it is no longer required, or processing will be restricted if there are statutory retention obligations. Due to mandatory commercial and tax regulations, we are obliged to store your address, payment and order data for up to ten years. Two years after the end of the contract, processing is restricted so that it is only used to fulfill existing legal obligations.

You have the right to object to the processing insofar as this is based on the legal basis pursuant to Art. 6 para. 1 sentence 1 lit. f) GDPR. You can exercise your right to object on grounds relating to your particular situation. Please send us your objection using the contact details provided in the “Controller” section.

Law enforcement / address investigation / debt collection

In the event of non-payment, we reserve the right to pass on the data provided when placing the order to a lawyer or external debt collection agency to determine the address and/or to enforce legal claims. The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. f) GDPR. Our legitimate interest lies in the prevention of fraud and the avoidance of default risks. We may also pass on your data to protect our rights and the rights of our affiliated companies, cooperation partners, employees and users of our website if this is necessary.

However, we will not sell or rent your data to third parties under any circumstances. The legal basis for this processing remains Art. 6 para. 1 sentence 1 lit. f) GDPR, as we have a legitimate interest in enforcing our rights. The data collected will be deleted as soon as it is no longer required, or processing will be restricted if there are statutory retention obligations.

You have the right to object to the processing. You can exercise your right to object on grounds relating to your particular situation. Please send us your objection using the contact details provided in the “Controller” section.

Hosting

We use external hosting services from Hetzner Online GmbH, 91710 Gunzenhausen, Germany, to provide the following services: Infrastructure and platform services, computing capacities, storage resources as well as database services, security and technical maintenance services. In the course of these services, all data is processed, including the access data listed under “Use of our website”, which is required for the operation and use of our website. The basis for this data processing is Art. 6 para. 1 sentence 1 lit. f) GDPR. By using external hosting services, we pursue the goal of providing our online offering efficiently and securely.

You have the right to object to the processing of your data. You can exercise your right to object on specific grounds relating to your particular situation. Please send us your objection using the contact details provided in the “Controller” section.

Integration of third-party content

Third-party content is integrated on our website, such as videos, maps and graphics from other websites. This integration requires that the providers of this content (the “third-party providers”) collect the IP addresses of the users. Without the IP address, it is not possible for them to transmit the content to the respective user's browser. The IP address is therefore required to display this content. In the following, we inform you about the services of external providers currently used on our website as well as about the respective processing in individual cases and your existing options for objection or revocation.